Title vulnerability of customer interaction database -


Assignment 1 -

The purpose of this assignment is to have you think about the security environment in which we must operate. It is also intended to have you begin to think about wide-ranging activities that prevent or mitigate security damage.

Suppose that you are in charge of I.T. security at Investors International (I.I.), an investment advice company.  Here are characteristics of I.I.

  • Operates 24/7 internationally
  • Serves investors with assets between $1M and $10M
  • Provides investment services electronically, including analyses, advice, and automated newsfeed analysis.
  • Provides Web-based access to information about customers' accounts, including their investment history
  • Provides extensive specialized, proprietary investment advice. The advice is of various types (e.g., political implications) and is supplied by vendors to I.I.
  • Offers the ability for customers to automatically accept the company's investment advice
  • Offers investment consultants from around the world who provide fee-based one-on-one online advice
  • Locates its IT facilities in several regions of the U.S. and abroad

Part (i)

List what you consider the four most important, prioritized system security threats to I.I. (no more), together with a summary of organizational and technical responses, in the form below. Justify why you consider these the most important threats for I.I. in particular. Include at least two threat types not mentioned in the online module for week 1. If you wish, you may make additional assumptions about the manner in which I.I. does business; but be sure to describe them in that case.

a) Title

b) Description of security threat               

c) Justification for inclusion with emphasis on risk and potential damage               

d) Organizational response         

e) Technical response

Avoid generic responses. For example, if you believe that an issue concerning viruses should be in your top list of threats to I.I., tell why that is so in the context of discussions on business acquisitions specifically. Take into account, in particular, the kinds of agents who may be security threats because of their interest in I.I.'s business.

Part (ii)

Compare the severity of the threats you selected with each other and with two threats that you considered but found less important than those that you selected.

At this point in the course we are more interested in the quality of your justifications than in their managerial or technical soundness. We want you to get used to thinking in terms of threats and explaining your security thoughts.

Your response should be no longer than 6 pages of 12 point font size in total. You are not required to be detailed in the case of technical responses. Your work on parts (i) and (ii) will be evaluated as a whole rather than separately.

Hints on Preparing for this Homework

  • Here is the beginning of an example for a different enterprise.

a) Title: Vulnerability of customer interaction database

b) Description of Security Threat:

Vulnerability of customer interaction database to direct access (rather than via an existing application). This refers to the ability of adversaries to access customer interaction data without going through an approved application, or even through the DBMS...

c) Justification for inclusion

The reason we included this threat as a high priority for Ajax International is the damage that Ajax would incur, given its emphasis on the public good; also the liability ....  A very large loss of business that would result if it were compromised. Ajax is particularly vulnerable to this threat because ...

d) Organizational response         

Separate databases into "sensitive," "fairly sensitive," and "non-sensitive" categories. Subject sensitive databases to the scrutiny of independent security auditors. In this way, the security team can focus on the most serious database vulnerabilities. The response plan for intrusion is to switch to the backup site while the vulnerability is being investigated, notify customers if compromise is established, ...

  • Keep the evaluation criteria in mind when answering this and all homework. (The syllabus explains the standards for "A," "B," and "C" work for each of these criteria. Allow time for checking your work for these criteria yourself and improving it accordingly prior to submitting it.)

Assignment 2 -

Security Policies

This exercise is designed to prepare you to write security policies. To accomplish this goal, you may build on available templates; but the exercise requires you to think through the case scenario below. Remember that every enterprise is different and security policies must adapt over time to new threats.  Templates can be a good starting point. There is not enough time in this course for you to write an entire policy. Instead, you are asked to identify risks and to start a draft security policy for Wright Aircraft.

The Scenario

Wright Aircraft Corporation creates and sells a proprietary system called "SpecCRAFT" that enables commercial and government carriers to manage and track their aircraft fleet. Using a host of technologies including desktops, smart phones, and various sensors, the system transmits data related to air worthiness, maintenance and flight data. Wright Aircraft Corporation's personnel maintain the information and infrastructure that clients access through secured Internet access.

The system provides alerts in an automatic and semi-automatic fashion to designated personnel within Wright Aircraft's response center when certain parameters are encountered. For example, there would be an alert if an aircraft's engine would be in need of inspection after a certain number of operating hours, if an aircraft becomes unsafe or if an aircraft operated in an environment requiring specialized services. The SpecCRAFT system provides dashboards and enables automation of various activities to clients.  This functionality enables them to operate their aircraft safely and efficiently.

You are the Chief Information Security Officer (CISO) at Wright Aircraft. Your most important responsibility is the protection, integrity and availability of information used within the SpecCRAFT System.  (Your responsibilities do not include creating the functionality itself.) SpecCRAFT is Wright Aircraft's only product.  Wright Aircraft Corporation will be working closely with the U.S. Department of Defense (DoD) on a project "MilCraft" related to tracking military aircraft and maintenance for fighter jets actively engaged in combat.

You do not need to know specific information related to the civilian or military aircraft industry.

PART ONE:  After reading through assignment #2, list the most important topics, starting with the most important and finishing with the least important (in your opinion).  Write 5 - 7 sentences for every topic you selected explaining your choice and priority.  Identify at least 5 topics and no more than 10.

PART TWO:  Give headings and subheadings only (not content) for the security policies that you would create for employees to ensure cyber security at Wright Aircraft. The headings and subheadings can be expressed in a table of contents format.  Be sure to make sections specific to Wright Aircraft's business goals.

Explain any additional assumptions or justifications that you want to or need to make (consistent with the description above) about Wright Aircraft Corporation or industry.

Hints:

  • Tailor the headings to Wright Aircraft's particular business, not a generic business. Boilerplate material is a starting point, but this is not simply an exercise in copying and pasting. You are required here to think through implications to Wright Aircraft's business goals.
  • When constructing the headings and subheadings, it can help to think about trade-offs; Wright Aircraft does not have unlimited financial resources.
  • Peltier contains a wealth of materials, of course, in Chapters 4, 6, 7, and 8, and in the appendices. Use Peltier to guide you towards candidate topics and ideas to include. You must filter what you, as the CISO at Wright Aircraft, think is relevant to Wright Aircraft's business goals.

PART THREE: Wright Aircraft sells and designs aircraft for commercial customers as well as the U.S. military. You will need to do some research on the Internet to determine what, if any, special security requirements need to be in place in order to comply with military customers.

a. List three security concerns or regulations required for vendors to do business with the military.

b. Describe at least two policies you would implement to address concerns with the security and/or regulations.

Hints:

  • Remember that every enterprise is different and security policies must adapt over time to new threats.
  • You must filter what you, as the CISO at Wright Aircraft, think is relevant to Wright Aircraft's business goals. Answers should not be for generic businesses.
